Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:


Home / News
Accountability leaves us with wax in hand, but privacy is still an open construction site

Accountability leaves us with wax in hand, but privacy is still an open construction site

Privacy is a construction site that is still open. Indeed, the foundations have not yet been completed. It will be possible to say that there is time and that there are no peremptory deadlines to be met. But it is objective that the GDPR is of 2016, which became operational in 2018 and equally indisputable is that there are not yet the expected ad hoc rules, for example, for health or for small and medium-sized enterprises.

A non-exhaustive picture of the agenda is drawn from the table, published in conjunction with this article, which contains 16 deferrals, yet to be implemented, of the Privacy Code and the GDPR.

Much, of course, has been done (think of revisiting the “old” general permissions and reviewing some old codes of ethics). But so does it.

Here, of course, you don’t waste time playing the game of pointing your finger at anyone, because it is difficult to put yourself on the side of those who are entitled to throw stones.

If, on the institutional side, there are still, and in crucial areas, deontological rules, measures of guarantees, guidelines, it is disheartening to note that, on the side of civil society and the economic world, there is a lack of proposition of codes of conduct.

In recent years I have dared to describe the GDPR sometimes as a tangle and sometimes as a puzzle, but beyond the race, sterile, to draw the most evocative image, the fact remains that the interested, the holders and those responsible for the treatment need a network of certainties and not a web, which hides ugly surprises.

A few years ago, during a Federprivacy Privacy Day, I organized a roundtable discussion and asked the participants to answer with affirmative and non-doubtive tones, and the first question I asked was “what are the firm points of the GDPR?”. I was dismayed by the response of one of my interlocutors, who with a suggestive joke replied “the only sticking point of the GDPR is that there are no firm points”. The dialectical game of paradox is always effective and appreciable. But the paradox proves useful if it is the rhetorical argument that triggers and catalyzes the overcoming of himself.

If there are no staples and if, however, we need staples, then, unless you choose asthenic inertia, you have to plan routes, tools, chronoprogrammes and objectives.

It is important to point out that all this asks us the principle of accountability … indeed, the trick of accountability.

Read positively, accountability cuts out on individual organizations the dress of privacy as a tailored suit (how many times we have heard it said at conferences by everyone and someone else we will still hear it in the future).

Read in negative, accountability leaves us with the wax in hand, to wait fatally to be reprimanded, corrected and sanctioned and this for not being able to trace rules defined in the volatility of the framework of a GDPR, which at every turn proclaims the dogma of solutions “case by case”: but in doing so does not fade, with the risk of extinguishing, the norm that, we children of Roman law, we are accustomed to consider general and abstract (valid for “n”

Then, forced and resigned to consider the responsibility of the recipient of the norm as the effect of the deresponsibility of the legislature, we can do nothing but take on the burden of writing the “firm points”.

We have to do it out of survival instinct.

Even in the absence of “firm points”, holders and managers are subject to corrections and penalties, which are prescribed and incited with the rules that are there (nor could you do otherwise, it will be said).

And, in this regard, we say two things that we probably all thought (but we didn’t always dare to say).

First of all, Article 5 GDPOSPY is monstrous (of course in an etymological sense): in its vague indeterminacy and in its autonomous disputes find space, even ex post, all possible human conduct, with good peace of the predictability of the consequences of its behaviors and the guarantees that this need carries with it (at least until, in 1215, King John was forced to release the Magna Charta).

Secondly, equally impressive is the scissors of the administrative sanctions of the GDPR, which, depending on the offences, goes from zero to, respectively10 and 20 million euros: it seems almost ironic to read that an “unusual amplitude of the sanction range” represents an “anomaly” (an argument artfully extrapolated from the ruling of the Constitutional Court No. 156/2020 and, here, consciously used for the purposes of the description of the sanction system of the GDPR).

The tools for turning the pieces of privacy discipline are called codes of conduct, ethical rules, guidelines, warranty measures, and so on.

It is palissian to remember, on the point, that a rule is such if it has a degree of generalized acceptance. Equally obvious and consequential is to hope (i.e. to expect and wait) for the exponential organisations of certain categories, i.e. certain interests, to become protagonists of the drafting of the codes of conduct, but also of the texts-towels of the acts of competence of the authorities. Certainly not to invade the field, but only to offer the collaboration of those who are closest to the treatments and is, therefore, able to describe in more detail the various positions.

To the authorities, of course, the decision-making competence, but the direct successor of the accountability of the individual owner/responsible is the involvement of the protagonists of the treatment in the writing of the rules (which, must be, of course, general and abstract).

The sooner this path is taken, the sooner the beneficial effects will be felt, including in terms of social acceptance of the rules, acceptance that is the key to the effectiveness and success of the rules themselves.


Recommended to you

Advanced Research